Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Showing 50 of 179251 entries
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2020-7785 | This affects all versions of package node-ps. The injection point is located in line 72 in lib/index.js. | HIGH | Feb 11, 2021 | n/a |
| CVE-2021-23771 | This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878). | MEDIUM | Mar 17, 2022 | n/a |
| CVE-2020-28445 | This affects all versions of package npm-help. The injection point is located in line 13 in the index.js file in the export.latestVersion() function. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28453 | This affects all versions of package npos-tesseract. The injection point is located in line 55 in lib/ocr.js. | -- | Aug 2, 2022 | n/a |
| CVE-2021-23377 | This affects all versions of package onion-oled-js. If attacker-controlled user input is given to the scroll function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | HIGH | Apr 18, 2021 | n/a |
| CVE-2022-21230 | This affects all versions of package org.nanohttpd:nanohttpd. Whenever an HTTP Session is parsing the body of an HTTP request, the body of the request is written to a RandomAccessFile when it is larger than 1024 bytes. This file is created with insecure permissions that allow its contents to be viewed by all users on the host machine. **Workaround:** Manually specifying the -Djava.io.tmpdir= argument when launching Java to set the temporary directory to a directory exclusively controlled by the current user can fix this issue. | LOW | May 2, 2022 | n/a |
| CVE-2020-7749 | This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code, and depending on the context it will either be output as HTML on the page, which gives opportunity for XSS, or rendered on the server (puppeteer), which also gives opportunity for SSRF and Local File Read. | -- | Oct 20, 2020 | n/a |
| CVE-2021-23673 | This affects all versions of package pekeupload. If an attacker induces a user to upload a file whose name contains javascript code, the javascript code will be executed. | MEDIUM | Nov 24, 2021 | n/a |
| CVE-2020-7739 | This affects all versions of package phantomjs-seo. It is possible for an attacker to craft a url that will be passed to a PhantomJS instance allowing for an SSRF attack. | -- | Oct 6, 2020 | n/a |
| CVE-2021-23378 | This affects all versions of package picotts. If attacker-controlled user input is given to the say function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | HIGH | Apr 18, 2021 | n/a |
| CVE-2021-23359 | This affects all versions of package port-killer. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. Running this PoC will cause the command touch success to be executed, leading to the creation of a file called success. | MEDIUM | Mar 18, 2021 | n/a |
| CVE-2021-23379 | This affects all versions of package portkiller. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | HIGH | Apr 18, 2021 | n/a |
| CVE-2022-21211 | This affects all versions of package posix. When invoking the toString method, it will fall back to the 0x0 value, as the value of toString is not invokable (not a function), and then it will crash with a type-check. | MEDIUM | Jun 10, 2022 | n/a |
| CVE-2021-23426 | This affects all versions of package Proto. It is possible to pollute the object property of an application using Proto by leveraging the merge function. | MEDIUM | Sep 1, 2021 | n/a |
| CVE-2021-23355 | This affects all versions of package ps-kill. If (attacker-controlled) user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file. PoC (provided by reporter): `var ps_kill = require('ps-kill'); ps_kill.kill('$(touch success)',function(){});` | HIGH | Mar 16, 2021 | n/a |
| CVE-2021-23374 | This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | HIGH | Apr 18, 2021 | n/a |
| CVE-2021-23375 | This affects all versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | HIGH | Apr 18, 2021 | n/a |
| CVE-2021-23338 | This affects all versions of package qlib. The workflow function in the cli part of qlib was using an unsafe YAML load function. | MEDIUM | Feb 16, 2021 | n/a |
| CVE-2020-7787 | This affects all versions of package react-adal. A specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly validated, causing the application to treat an attacker-generated JWT token as authentic. The logical defect is caused by how the nonce, session and refresh values are stored in the browser local storage or session storage. Each key is automatically appended by \|\|. When the received nonce and session keys are generated, the list of values is stored in the browser storage, separated by \|\|, with \|\| always appended to the end of the list. Since \|\| will always be the last 2 characters of the stored values, an empty string () will always be in the list of the valid values. Therefore, if an empty session parameter is provided in the callback URL, and a specially-crafted JWT token contains a nonce value of (empty string), then adal.js will consider the JWT token as authentic. | MEDIUM | Dec 11, 2020 | n/a |
| CVE-2020-7696 | This affects all versions of package react-native-fast-image. When an image with source={{uri: ..., headers: { host: somehost.com, authorization: ... }} is loaded, all other subsequent images will use the same headers; this can lead to signing credentials or other session tokens being leaked to other servers. | MEDIUM | Jul 17, 2020 | n/a |
| CVE-2021-23380 | This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | HIGH | Apr 18, 2021 | n/a |
| CVE-2020-7686 | This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in the readFile operation inside the readFileFromContentBase function. | MEDIUM | Jul 27, 2020 | n/a |
| CVE-2020-7684 | This affects all versions of package rollup-plugin-serve. There is no path sanitization in the readFile operation. | HIGH | Jul 17, 2020 | n/a |
| CVE-2020-7683 | This affects all versions of package rollup-plugin-server. There is no path sanitization in the readFile operation performed inside the readFileFromContentBase function. | MEDIUM | Jul 27, 2020 | n/a |
| CVE-2020-28424 | This affects all versions of package s3-kilatstorage. | -- | Aug 5, 2022 | n/a |
| CVE-2020-7710 | This affects all versions of package safe-eval. It is possible for an attacker to run an arbitrary command on the host machine. | HIGH | Aug 21, 2020 | n/a |
| CVE-2022-0749 | This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatter. | HIGH | Mar 17, 2022 | n/a |
| CVE-2020-28443 | This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js. | -- | Jul 25, 2022 | n/a |
| CVE-2020-7782 | This affects all versions of package spritesheet-js. It depends on a vulnerable package, platform-command. The injection point is located in line 32 in lib/generator.js, which is triggered by the main entry of the package. | HIGH | Feb 11, 2021 | n/a |
| CVE-2021-23404 | This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Request Forgery (CSRF) attack. | MEDIUM | Sep 8, 2021 | n/a |
| CVE-2022-25848 | This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. | -- | Dec 1, 2022 | n/a |
| CVE-2020-7784 | This affects all versions of package ts-process-promises. The injection point is located in line 45 in the main entry of the package in lib/process-promises.js. The vulnerability is demonstrated with the following PoC: | -- | Jan 8, 2021 | n/a |
| CVE-2020-7685 | This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies. | MEDIUM | Jul 29, 2020 | n/a |
| CVE-2020-7694 | This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file). | MEDIUM | Jul 27, 2020 | n/a |
| CVE-2021-23399 | This affects all versions of package wincred. If attacker-controlled user input is given to the getCredential function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | HIGH | Jul 1, 2021 | n/a |
| CVE-2021-23452 | This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object. | HIGH | Oct 20, 2021 | n/a |
| CVE-2020-28447 | This affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath). | -- | Jul 25, 2022 | n/a |
| CVE-2023-26120 | This affects all versions of the package com.xuxueli:xxl-job. An uploaded HTML payload executed successfully through /xxl-job-admin/user/add and /xxl-job-admin/user/update. | -- | Apr 10, 2023 | n/a |
| CVE-2018-11758 | This affects Apache Cayenne 4.1.M1, 3.2.M1, 4.0.M2 to 4.0.M5, 4.0.B1, 4.0.B2, 4.0.RC1, 3.1, 3.1.1, 3.1.2. CayenneModeler is a desktop GUI tool shipped with Apache Cayenne and intended for editing Cayenne ORM models stored as XML files. If an attacker tricks a user of CayenneModeler into opening a malicious XML file, the attacker will be able to instruct the XML parser built into CayenneModeler to transfer files from a local machine to a remote machine controlled by the attacker. The cause of the issue is the XML parser processing XML External Entity (XXE) declarations included in XML. The vulnerability is addressed in Cayenne by disabling XXE processing in all operations that require XML parsing. | MEDIUM | Aug 22, 2018 | n/a |
| CVE-2019-3797 | This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates 'startingWith', 'endingWith' or 'containing' could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have reserved characters escaped properly. | Medium | May 7, 2019 | n/a |
| CVE-2019-3802 | This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied. | MEDIUM | Jun 3, 2019 | n/a |
| CVE-2020-7761 | This affects the package @absolunet/kafe before 3.2.10. It allows an attacker to cause a denial of service when validating crafted invalid emails. | -- | Nov 5, 2020 | n/a |
| CVE-2020-28472 | This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context. | HIGH | Jan 19, 2021 | n/a |
| CVE-2020-7765 | This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on whether user input is provided, an attacker can overwrite and pollute the object prototype of a program. | -- | Nov 16, 2020 | n/a |
| CVE-2021-23326 | This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection. | HIGH | Jan 22, 2021 | n/a |
| CVE-2020-28470 | This affects the package @scullyio/scully before 1.0.9. The transfer state is serialised with the JSON.stringify() function and then written into the HTML page. | MEDIUM | Jan 14, 2021 | n/a |
| CVE-2021-23497 | This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821 | HIGH | Feb 9, 2022 | n/a |
| CVE-2020-7748 | This affects the package @tsed/core before 5.65.7. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on whether user input is provided, an attacker can overwrite and pollute the object prototype of a program. | MEDIUM | Oct 21, 2020 | n/a |
| CVE-2022-25854 | This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload. | MEDIUM | Apr 30, 2022 | n/a |
| CVE-2021-23423 | This affects the package bikeshed before 3.0.0. This can occur when an untrusted source file containing an include, include-code or include-raw block is processed. The contents of arbitrary files could be disclosed in the HTML output. | MEDIUM | Aug 16, 2021 | n/a |
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release applies in cases where the CVE has been addressed and fixed for that product version. Requires LTSS: customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.